August 24, 2009

Troubleshooting Tip: Unable to delete a VDOM


Description

 
This article describes how to work around a problem that may be encountered when trying to delete a VDOM that is apparently no longer used.
 
Scope
 
Any supported version of FortiOS.


Solution

 
If the VDOM still has a configuration associated with it in any way, it cannot be deleted. This is a restriction that applies to removing any Firewall object.
 
Ensure that no interfaces are associated with the VDOM. There should be no assigned addresses or firewall policies. However, it is possible to delete a VDOM even while the interfaces l2t.<vdom> and naf.<vdom> still exist.

Use the following command to check which objects may still be associated with the VDOM:
 
diagnose sys cmdb refcnt show system.vdom.name <path.object.mkey> <vdom_name>
 
For example, to display the objects associated with the VDOM called 'second':
 
config global
diagnose sys cmdb refcnt show system.vdom.name second
 
entry used by table system.interface:name 'ssl.second'
entry used by table system.interface:name 'test0'
entry used by table system.interface:name 'test1'
entry used by table system.interface:name 'vdom link0'
entry used by table system.interface:name 'vdom link1'
entry used by table system.vdom-property:name 'second'
 
Once all of these objects have been removed from the VDOM, it can then be deleted.
 
It is also possible to use the above command to find a system administrator who might still be linked to the VDOM that is being deleted.
If any administrator is tied to that VDOM, it will not be possible to delete it.
For example, another VDOM, called testing-vd, generates the following output:

 

config global
 

(global) # diagnose sys cmdb refcnt show system.vdom.name testing-vd
entry used by table system.interface:name 'l2t.testing-vd' (From 'global')
entry used by table system.interface:name 'naf.testing-vd' (From 'global')
entry used by table system.interface:name 'ssl.testing-vd' (From 'global')
entry used in table system.interface:name 'npu0_vlink1.testing-vd' (From 'global')

entry used by child table vdom:name 'testing-vd' of table system.admin:name 'admin' (From 'global')
entry used by table system.vdom-property:name 'testing-vd' (From 'global')

 

It is possible to see that this VDOM is being used by the admin user:

 

config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root" "testing-vd"
        set password ENC SH2M6KbuWYUrbgtJOsiDIMc9iKdw+vfzx5yVJJqoRa6g0dhppIoleoT+fXDRFY=
    next
end

 

To remove it, run the following:

 

config system admin
    edit "admin"
        set vdom root
    next
end

 

That will allow the user to delete the VDOM in question. In my example, the VDOM is called testing-vd.
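
As an added example (not part of the original article and not Fortinet code), the following Python script parses saved 'diagnose sys cmdb refcnt show' output and lists what still has to be removed, skipping the l2t.<vdom> and naf.<vdom> interfaces that the article says do not prevent deletion. The function names are hypothetical, and the output format is assumed to be exactly as shown above.

```python
import re
from collections import defaultdict

# Matches both "used by table" and "used in table" lines, plus the
# "child table ... of table ..." form seen for system.admin.
LINE = re.compile(
    r"^entry used (?:by|in) "
    r"(?:child table (?P<child>\S+):\S+ '[^']*' of )?"
    r"table (?P<table>\S+):\S+ '(?P<key>[^']*)'"
)

def parse_refcnt(output):
    """Return (table, key, child_table_or_None) for each reference line."""
    refs = []
    for line in output.splitlines():
        m = LINE.match(line.strip())
        if m:  # prompts, blank lines and anything else are skipped
            refs.append((m["table"], m["key"], m["child"]))
    return refs

def remaining_work(output, vdom):
    """Group references by table, skipping l2t.<vdom> and naf.<vdom>,
    which the article says do not prevent deletion."""
    ignorable = {f"l2t.{vdom}", f"naf.{vdom}"}
    todo = defaultdict(list)
    for table, key, _child in parse_refcnt(output):
        if table == "system.interface" and key in ignorable:
            continue
        todo[table].append(key)
    return dict(todo)

def linked_admins(output):
    """Administrators whose 'set vdom' list still names the VDOM."""
    return [key for table, key, child in parse_refcnt(output)
            if table == "system.admin" and child == "vdom"]

# Constructed sample input: the testing-vd output from this article.
SAMPLE = """(global) # diagnose sys cmdb refcnt show system.vdom.name testing-vd
entry used by table system.interface:name 'l2t.testing-vd' (From 'global')
entry used by table system.interface:name 'naf.testing-vd' (From 'global')
entry used by table system.interface:name 'ssl.testing-vd' (From 'global')
entry used in table system.interface:name 'npu0_vlink1.testing-vd' (From 'global')

entry used by child table vdom:name 'testing-vd' of table system.admin:name 'admin' (From 'global')
entry used by table system.vdom-property:name 'testing-vd' (From 'global')
"""

if __name__ == "__main__":
    for table, keys in remaining_work(SAMPLE, "testing-vd").items():
        print(f"{table}: {', '.join(keys)}")
    print("admins to edit:", linked_admins(SAMPLE))
```
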

 

Additionally, the following command refreshes/resets the reference count. Here it is run on both the interface and the VDOM:

 

diagnose sys cmdb refcnt reset system.interface.name ssl.testing-vd

diagnose sys cmdb refcnt reset system.vdom.name testing-vd

 

Related articles:

Troubleshooting Tip : verifying FortiGate configuration objects references and dependencies with the CLI command 'diagnose system checkused'.
Technical Tip: How to delete a VDOM using the GUI and CLI